Late Tuesday Facebook said it had discovered what was causing the problem.

"During this spam attack, users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content," Facebook Spokesman Andrew Noyes said in a statement. "Our engineers have been working diligently on this self-XSS vulnerability in the browser."